Data Breach PCI Compliance


The Cost of a Data Breach

In recent years, we’ve seen data breaches at the likes of Target, Hope Depot, Dairy Queen, Staples and Neiman Marcus, and there have been countless others at lesser known retailers around the U.S. Many of these breaches involve the theft of debit or credit card information. While there is much focus on the consumer in these situations, in reality they have a relatively painless experience. Because of a variety of state and federal laws, consumers are made aware of the breach and are often provided with free credit monitoring for a year. Further, their credit or debit card is replaced and, in general, consumers aren’t held accountable for any fraudulent charges. 

Retailers, on the other hand, not only suffer a public relations nightmare, but are susceptible to fines, penalties, and additional costs related to the loss of payment card data. In 2006, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. formed the Payment Card Industry Security Standards Council (PCI SSC). According to their website, the PCI SSC “develops, maintains, and manages the PCI Security Standards, which include the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements.” However, penalties for noncompliance are not imposed by the PCI SSC, but rather by the “payment brands and their partners.” 

Essentially, you have a council that cannot legally make a retail merchant be (or stay) compliant and, in the end, has no legislative authority to order reconciliatory action. So why is the PCI SSC of concern to retailers? Merchants that want to accept payment from the member companies must comply with the standards of the five organizations and, increasingly, merchants have to adapt to a market space that is increasingly driven by the use of credit and debit cards. According to the Federal Reserve Board, in 2012 there were an estimated 122.8 billion non-cash transactions, excluding wire transfers, with a value of $79 trillion. Now imagine not having the ability to accept the five major credit card brands.  

However, PCI SSC compliance doesn’t alleviate all concern. If a breach occurs, the retailer can be held responsible for fraud losses, the cost to reissue cards, and any additional fraud prevention and detection costs incurred by credit or debit card issuers. These costs will impact large, financially sound retailers, but they can cripple a smaller merchant. 

Traditional insurance policies are triggered by a legal action against an insured and usually exclude the breach of a contract the insured has entered into – an obvious conflict as contracts are the building blocks of the payment card industry.  Basically, a merchant contracts with a payment processor or bank which allows the merchant to accept payments via a credit or debit card. This contract is a Merchant Service Agreement (MSA).  When a sale occurs, the transaction is reconciled by the consumer’s card issuing bank or brand and funds are deposited into the merchant’s account. With a breach, it is common for card brands and banks to reconcile fraudulent charges back to the event and push associated costs back to the retailer.  When the charges are pushed back on the merchant as the source of the breach, there is a contractual obligation defined by the terms of the MSA, which can include significant fines depending on the particular credit card company or other financial remedies paid back to the merchant bank. Claims made insurance policies are generally triggered by demands for damages or lawsuits; these charges don’t necessarily fit that definition of claim.

How can retailers insure against the financial burden of an assessment and fines/penalties that accompany a breach and the theft of credit or debit card information?  Many carriers are at a crossroads. Underwriters recognize a systemic exposure across retail merchants accepting payment cards, but providing a solution means:
  1. amending the form to get around a breach of contract exclusion inherent in most policies,
  2. amending the definition of claim to respond to PCI DSS actions, and
  3. providing affirmative coverage for an indefensible punishment from a quasi-regulatory authority.
Further, the coverage grant is often made on the reliance that insureds are PCI compliant, yet the compliance model offers them no protection in the event of a breach.  In other words, there’s no immunity from punishment even if a retailer demonstrates that they are following the standards set by PCI.  

Understandably, many insurers are hesitant to provide the capacity that is needed in the retail space.  While there are solutions available, only a handful of markets offer full limits with coverage for most PCI-related costs.  More often, carriers limit their liability by providing small limits, only picking up certain portions of the exposure, providing defense only coverage, or only covering certain types of fines.  

It is increasingly important to know the costs associated with payment card breaches and be sure to find the right Cyberliability insurance solutions that will cover your client in the event of a breach.  Members of the AmWINS Financial Services Practice are available to help you find and understand the solutions available in the insurance marketplace.

This article was authored by Marc Lysse, an AmWINS Financial Services Practice Member in our Atlanta, GA office.
Contact Us

To learn more about how AmWINS can help you place coverage for your clients, reach out to your local AmWINS broker.  If you do not have a contact at AmWINS, please click here.

Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.

(c) 2017 AmWINS Group, Inc.

Most Popular Insights

5 Strategies for Successful Small Business Renewals During COVID


In the current economic climate, many small businesses are struggling and some may even fail. Despite these challenges and the continued hardening market, there is opportunity for retailers to write and retain business. This article provides guidance on navigating the complex small business marketplace and helps retailers fine tune their understanding of what insurable risks will look like over the next 12 to 24 months.

What Product Recall Insurance and Risk Mitigation Plan Is Right for Your Clients?


​Product recalls are one of the most damaging events a business may encounter. In order to effectively respond to an incident, companies must be prepared with proper risk management strategies. As policy wording varies, it's also critical to ensure your clients have the right policy type in place to appropriately address their first- and third-party exposures.

State of the Market - Q2 2020


Our Q2 2020 State of the Market report provides a holistic view of highly impacted industry segments as well as overall market trends. This report is designed to help our retailers gain the knowledge they need to retain accounts, write new business, overcome challenges and capitalize on opportunities that do exist.

10 Catastrophe Claim Tips for Severe Weather Season


Severe weather can be unpredictable and strike at any time. Help your clients be prepared in the event their property is damaged by a hurricane, tornado, hailstorm or similar disaster with these 10 catastrophe claim tips.

On-Demand Webinar: COVID-19 Economic Impact and Future Outlook


As a result of the COVID-19 crisis, our industry is facing a broad array of challenges that impact insureds of every size and in every industry. In the first of a series of webinars, we hear from an economist on the financial impacts of COVID-19 and what we can expect in the future. This webinar is intended to complement your conversations with clients about how to plan for the next 12 to 24 months.

Lloyd's CEO and Property Underwriters Share COVID-19 Response and Market Update


This podcast features an update from John Neal, CEO of Lloyd’s, on the state of the Lloyd's market and their response to COVID-19 as well as a panel discussion with London Property underwriters on how they view the pandemic's impact both the Property sector and their syndicate's business.

Lloyd's CEO and Casualty Underwriters Share COVID-19 Response and Market Update


This podcast features an update from John Neal, CEO of Lloyd’s, on the state of the Lloyd's market and their response to COVID-19 as well as a panel discussion with London Casualty underwriters on how they view the pandemic's impact both the Casualty sector and their syndicate's business.

Lloyd's CEO and Professional Underwriters Share COVID-19 Response and Market Update


This podcast features an update from John Neal, CEO of Lloyd’s, on the state of the Lloyd's market and their response to COVID-19 as well as a panel discussion with London Professional Lines underwriters on how they view the pandemic's impact both the Professional Lines sector and their syndicate's business.

Flood 101: What to Know About Standard Flood Insurance


Ninety-eight percent of all United States counties were impacted by a flood event in 2018, yet many property owners remain unaware of their true risk of flood or what their existing policies cover. This article highlights key statistics about flood risk and outlines the differences between the National Flood Insurance Program and private market flood insurance.

Professional Lines Challenges and Market Response During the COVID-19 Crisis


The COVID-19 crisis has created a rapidly changing environment for the Professional Lines market. With the uncertainty of how claims will develop and the potential for increased exposure, retailers must be proactive. In this article, AmWINS specialists share their insights on why this is more important now than ever, including reactionary underwriting trends, D&O policy exclusions and impacts to EPLI, as well as the threat for increased cyber attacks and crime losses.

Small Business and Personal Lines During the COVID Crisis


Loss of revenue caused by stay-at-home orders due to the coronavirus pandemic has affected small businesses and the insurance industry serving them significantly. As retailers and carriers prioritize their focus to adapt to the “new normal” of daily transactions, underlying market dynamics remain unchanged. In this article, our experts share their insight on the current changes that we are seeing the small business and personal lines market, and how to navigate the market a this time of uncertainty.

Mind the Gap: COVID-19's Impact on the Logistics Industry


The disruptive impact of the COVID-19 outbreak on supply chains is already having a pronounced effect on the world of logistics and logistics insurance. Port closures, demand surges and production shifts are requiring nimble response to keep up with change. This article arms insurance brokers with the information needed to understand the changes taking place and plan for what is likely to occur in the months ahead.

Navigating the Casualty Market’s Response to COVID-19


The Casualty market’s response to COVID-19 is continuously evolving. With a wide array of factors already impacting this sector pre-crisis, segments of the Casualty marketplace are responding to the pandemic differently. In this article, our industry specialists share overall themes in the Casualty market and take a closer look at how various segments are being impacted.

Top COVID-19 Issues Impacting Builder’s Risk Insurance


The COVID-19 pandemic is causing historical disruption to the construction industry. These changes mean that risk mitigation strategies need to be implemented or revisited, policy language should be reviewed, and carriers should be apprised of all changes at the work-site. In this article, AmWINS specialists examine the major areas of concern for Builder’s Risk insureds, including government-mandated shutdowns, supply chain-driven slowdowns and policy wording that could limit coverage, and provide guidance for retailers to achieve the best results for their clients.

State of the U.S. Logistics Insurance Market


For decades, the logistics insurance market has been considered a sub-market of the cargo or ocean marine market. However, the continual rise of e-commerce and its effect on the global supply chain has carved out a complex and expansive industry niche. This article provides insight into the various lines of coverage, the specialized underwriting approach, and rate surges within the U.S. logistics insurance market.

Lloyd’s & the London Market’s Response to COVID-19


During the COVID-19 pandemic, Lloyd’s remains open for business and syndicates have successfully transitioned to working from home. However, there are notable changes in how the London market is approaching business. In this article, specialists from THB, AmWINS’ London broker, share their insight on consistent themes across the London Market as well as updates on various lines of business.

COVID-19 Claims Advice


There have been a lot of questions regarding COVID-19, in particular about coverage and claims handling. This claims advice is intended to offer guidance to help our retail clients through these difficult times.

Insurance Impacts of COVID-19 on the Healthcare and Senior Living Industry


As the healthcare industry remains on the front lines of battling the COVID-19 pandemic, staying abreast of the changing landscape and how the insurance market is adapting is critical to ensure new exposures are covered and renewals are successfully placed. In this article, our specialists share what they are seeing in the Healthcare and Senior Care markets, tips for risk control and mitigation, and how to get the best results for insureds.

Statute of Limitations Changes Cast a Shadow on Public Entities


​Public entities are facing a climate of change as the market continues to harden and insureds are faced with double-digit rate increases in property and liability. Contributing to this disruption are statute of limitation changes for sexual abuse victims, which have extended or removed the time limit for which a victim can file a claim. This article examines the impact of increased claim activity and discusses considerations that need to be made to better manage costs during this time of uncertainty.​

COVID-19 – Are Your Clients Covered?


The disruption to business and everyday life caused by the coronavirus (COVID-19) pandemic is resulting in an economic impact for insureds. Much of this disruption is likely not covered by insurance. We have consulted with several AmWINS insurance specialists across the Property, Casualty and Professional Lines sectors and offer a COVID-19 update.

Sign Up For Our Monthly Newsletter

Sign Up